Technical Workshops

Designing an Enterprise GIS Security Strategy

Michael Young

CISSP

Agenda

• Introduction

• ESRI Strategy

• Deployment Patterns

• Trends

• Enterprise-wide Mechanisms

• Product Options- ArcGIS Server

- Desktop

- Mobile

- Cloud Computing

• Summary

Introduction

Introduction

- Michael E Young

- ESRI Senior Enterprise Security Architect

- Enterprise Implementation Services Team (EIST)

- FISMA C&A Application Security Officer

- Certified Information Systems Security Professional (CISSP)

as appropriate

Introduction

• Question- Are you happy with your current security?

• 2009 DOE National Lab Security Maxim list- True 80-90% of time

- The “So We’re In Agreement” Maxim

- If you’re happy with your security, so are the bad guys

Introduction

• What about…- Enterprise component integration?

- Directory Services / LDAP / MS Active Directory

- Standards, Certifications & Regulations?

- FDCC / FISMA / DITSCAP

- User Interfaces?

- ADF, MS Silverlight, Adobe Flex, JavaScript, Rich Clients

- Application vs. security products?

- ArcGIS Token Service / 3rd Party Single-Sign-On products

Don’t focus on trying to implement a security silver bullet

ESRI’s Security Strategy

ESRI’s Security Strategy

Isolated Systems

ESRI Products

IT Trend

Integrated Systemswith discretionary access

Discrete products and services with3rd party security Enterprise platform and services with

embedded and 3rd party security

ESRI’s Security Strategy

• Secure GIS Products- Incorporate security industry best practices

- Trusted geospatial services across the globe

- Meet needs of individual users and entire organizations

• Secure GIS Solution Guidance- Enterprise Resource Center

- http://resources.arcgis.com/

- ESRI security patterns

ESRI’s Security Strategy

• CIA Security Triad- Confidentiality

- Integrity

- Availability

• Defense in Depth- Layers of security across your enterprise

ESRI’s Security Strategy

ESRI’s Security Strategy

• ESRI security implementation patterns- Best practice security guidance

• Leverage- National Institute of Standards and Technology (NIST)

• Based on risk level- First identify your risk level

To prioritize information security and privacy initiatives, organizations must assess their business needs and risks

Secure GIS Patterns

Secure GIS Patterns

• How does a customer choose the right pattern?

- Formal – NIST Security Categorization Process

- NIST SP 800-60 Publication

- Informal – Simple scenarios ESRI customers can relate to

Secure GIS Patterns

• Basic

- No sensitive data – public information

- All architecture tiers can be deployed to one physical box

• Standard

- Moderate consequences for data loss or integrity

- Architecture tiers are separated to separate systems

- Potential need for Federated Services

• Advanced

- Sensitive data

- All components redundant for availability

- 3rd party enterprise security components utilized

Basic

Standard

Advanced

Secure GIS Patterns

• Common Attributes

- Utilize data and API downloads from public clouds

- Secure services with ArcGIS Token Service

- Separate internal systems from Internet access with DMZ

- Reverse Proxy to avoid DCOM across firewalls

Basic

Secure GIS Patterns

• Web Application Firewall on Reverse Proxy

• Dynamic ArcGIS Tokens

• Separate tiers w/VLANs - Web, Database and Management

• Multi-Factor authentication for External users

• Separate Management traffic connections

• Redundant components

• Local copies of all high-availability data

• Install API’s on Local ArcGIS Server for Internal Users

• Intrusion Prevention/Detection Systems

• Lock down ports, protocols, services (Hardening Whitepaper)

• Standardize system images (SMS Whitepaper)

• Host-based firewalls on systems

• Browser plug-in restrictions

Standard

Secure GIS Patterns

• Minimal reliance on external data/systems

• Separate datasets (e.g. Public, Employees, Employee Subset)

• Consider explicit labels

• Clustered Database w/Transparent Data Encryption

• 3rd party security products for HTTP/HTTPS

• Public Key Infrastructure (PKI) certs

• Local user access via Multi-Factor Authentication

• Remote user access via Hardware Token Multi-Factor

• Network connections redundant w/ IPSec between servers

• SSL/TLS between Clients and Servers (Web and Rich Clients)

• Network Access Control (NAC)

Advanced

Security Trends

# Cyber Security Articles Over Time

Security Trends

Individuals

Security Trends

Multinational Networks

Get Attention of President

Security Trends

Corporate America Attacks

Active Legislation

Security Trends

• 2009 CSI Survey

- Big jumps

- Password sniffing

- Financial fraud

- Malware infection

- Key solutions

- Log Management

- Dashboards

Enterprise-wide Security Mechanisms

Enterprise-Wide Security Mechanisms

Enterprise-Wide Security Mechanisms

• Web Traffic via HTTP1. Web Services

2. Web Applications

• Intranet Traffic via DCOM 3. Local Connections

Enterprise-Wide Security Mechanisms

Access Restricted

Authentication Method

Protocol Description Encryption

Web Service orWeb Application

None HTTP Default Internet Connections N/A

BasicDigestWindows Integrated

HTTP (SSL optional)

Browser built-in pop-up login dialog box.

Basic None, unless using SSL

Java EE ContainerHTTP(SSL optional)

Web container provides challenge for credentials

Container Managed

Client Certificates PKI Smart Cards

HTTPS Server authenticates client using a public key certificate

PKI Managed

Web Application Only

.NET Form-based HTTP(SSL optional)

Application provides its own custom login and error pages.

None, unless using SSL

Java ArcGIS ManagedHTTP(SSL optional)

ArcGIS Server provides login page for Java Web App

None, unless using SSL

Web ServiceOnly

ESRI TokenHTTP(SSL optional)

Cross Platform, Cross API Authentication

AES-128bit

Local Windows Integrated DCOMDefault Local Connections OS GroupsAGSUser. AGSAdmin

OS Managed

Enterprise-Wide Security Mechanisms

• User and Role Storage (also called Principle Store)

• Java Security Store Options

- Default – Apache Derby

- External Database

- LDAP

- MS Active Directory

• .NET Security Store Options

- Default - Windows Users and Groups

- MS SQL Server Express

- Custom Provider

- Instructions for Active Directory and Oracle Providers available

Users Roles

JohnCindyJim

LimitedAdmin

Regions

Enterprise-Wide Security Mechanisms

• ESRI COTS

- Service Level Authorization across web interfaces

- ArcGIS Manager App Assigns Access

- Services grouped in folders utilizing inheritance

• 3rd Party

- RDBMS – Row Level or Feature Class Level

- Multi-Versioned instances may significantly degrade RDBM performance

- SDE Views

• Custom - Limit GUI

- Rich Clients via ArcObjects

- Web Applications

- Check out sample code – Link in ERC: Common Security

- Try out Microsoft’s AzMan tool

Enterprise-Wide Security Mechanisms

• Firewalls

• Reverse Proxy- Common implementation option

- MS free reverse proxy code for IIS 7 (Windows 2008)

• Web Application Firewall- ModSecurity can significantly reduce attack surface

• Anti-Virus Software

• Intrusion Detection / Prevention Systems

• Limit applications able to access geodatabase

Enterprise-Wide Security Mechanisms

• Reverse proxy obfuscates internal systems

– Add Web Application Firewall (WAF) for better protection

– Communication between proxy and web server can be any port

• File Geodatabase in DMZ– One-way replication via HTTP(s)

– Deploy on each web server for optimal throughput/performance

– Internet users only have access to a subset of entire Geodatabase

Reverse proxy / WAF

IntranetDMZ

RDBMS

Web

GIS

HTTP

DCOM

SQL

Use

Author &PublishFGDB

Web

GIS

Internet

HTTP

HTTP

Enterprise-Wide Security Mechanisms

- Network

- IPSec (VPN, Internal Systems)

- SSL (Internal and External System)

- File Based

- Operating System – BitLocker

- GeoSpatially enabled PDF’s combined with Certificates

- Hardware (Disk)

- RDBMS

- Transparent Data Encryption

- Low Cost Portable Solution - SQL Express 2008 w/TDE

Enterprise-Wide Security Mechanisms

• ESRI COTS- Geodatabase history

- May be utilized for tracking changes

- ArcGIS Workflow Manager

- Track Feature based activities

- ArcGIS Server 10 Logging

- New “user” tag allows tracking of user requests

• 3rd Party- Web Server, RDBMS, OS, Firewall

Product Security Options

ArcGIS Server

Desktop

Mobile

Cloud Services

ArcGIS Server Security

ArcGIS Server Security

• Is Communication Across Wire Secure by Default?- No

- Communication via ArcGIS Server and all clients is clear-text by default

- Secure web communication with an SSL Certificate

- Secure internal DCOM communication with IPSec

ArcGIS Server Security

• Is a reverse proxy required?- No

- Some customers implement to eliminate DCOM traffic across firewalls

- Used with Web Application Firewall improves security posture

ArcGIS Server Security

• Is there Security Hardening Guidance?- Yes

- Check out the ERC Implementation Gallery

- Next update expected by end of 2010 - Version 10 Win 2k8

ArcGIS Server Security

• Should I assign the Everyone group to the root in ArcGIS Manager?- Depends

- Everyone will have access to your services by default

- OK for Basic security risk environments

- NOT recommended for any Standard or Advanced security

- Deny by default used in higher risk environments

ArcGIS Server Security

• Can I provide security more granular then service level?- Yes

- Now – SDE Views or 3rd Party Software

- Potential future option - integrated security model

Integrated Security Model

New Integrated Security Model

• New ArcGIS Server Configuration Option- End user identity flows through all architecture tiers

• What’s the big deal?- Fine grained access control / row-level security

- Single interface controls HTTP and DCOM Connections

- Improved non-repudiation

• Current release status- Collecting customer use cases

- Validation can lead to production support

- Outstanding concerns

- Performance, scalability, usefulness

New Integrated Security Model

1. Centralized security management

- Both Local (DCOM) and Internet (HTTP) connections

- Utilizes ArcGIS Manager and Windows Integrated Security

2. Flow web user identity to database via proxy user

- Logging - Non-repudiation across all architecture tiers for high risk security environments

- Row-Level Security - Database driven security model for high-risk security environments

3. Utilize a custom Server Object Extension (SOE)

- Makes use of user context for requests

- Potential Feature Level Security Functionality

Integrated Security Model

Web Service User with Permissions to both High (Red) and Low (Green) Features

Integrated Security Model

As Expected: Web service user with Low access only shows Green (Low)Paradox: Lack of information can be information. Road gaps above can be intuitively “filled in”

Desktop Security

Desktop Security

• Client typically with most access to sensitive data

• Variety of system connections- Direct Connect – RDBMS

- Application Connect – SDE

- HTTP Service – GeoData Service

- Integration with Token Service

- Windows native authentication

- SSL and IPSec Utilization

• ArcObject Development Options- Record user-initiated GIS transactions

- Fine-grained access control

- Edit, Copy, Cut, Paste and Print

Geospatial Cloud Computing Security

Geospatial Cloud Security

• Is Cloud computing safe?- Classic answer: It depends…

• Security Benefits- Virtualization / Automation

- Expedite secure configurations with images

- Broad network access

- Reduce removable media needs

- Segmentation - Public data -> Cloud & sensitive -> Internal

- Potential economies of scale

- Lower cost backup copies of data

- Self-service technologies

- Apply security controls on demand

Geospatial Cloud Security

• Vendor Practice Dependence

- Potential sub-standard security controls -> vulnerabilities

- Loss of governance / physical control over data

• Vendor Lock-In

- Data loss upon services termination

- Lack of tools, procedures, and standards to ensure portability

- Hostage to vendor cost increases, due to lost internal abilities

• Sharing computing resources (Multi-tenancy)

- Intentionally/unintentionally gain access to other’s data

- Unclear responsibilities during a security incident

- Increased data transmitted = Increased disclosure risk

• Threat exposure varies with Deployment Model

- Private = Lowest Community = More Highest = Public

Geospatial Cloud Security

• System Admin Access (IaaS)- ArcGIS Server on Amazon EC2

- Federal Terremark Cloud

- Private Cloud

• Developer Access (PaaS)- ESRI Web Mapping APIs (JavaScript, Flex, Silverlight)

- Microsoft Azure ArcGIS Applications

• End User Solutions (SaaS)- ArcGIS.com

- Business Analyst Online

- ArcGIS Explorer Online

Geospatial Cloud Security

• Cloud Deployment Location- Public (e.g Amazon)

- Private (e.g. Internal Corporate)

• Primary driver -> Security

• June 2010 IDC IT Executive Survey- Preference for using a private versus a public cloud

- 55% - Private cloud was more appealing than a public cloud

- 22% - Equally appealing

Geospatial Cloud Security

• Assess your security needs- Data sensitivity

- Public domain, sensitive, classified

- User types

- Public, internal

- Categorize security needs

- Basic, standard, advanced

• Most public cloud implementations are basic- Security similar to social networking sites (Facebook)

- Most GIS users have only basic security needs

Geospatial Cloud Security

• Data Location- International concerns with Patriot Act

- Some Cloud providers don’t assure location

- Amazon can

- Google does not

• Identity Management- Long-term vision formulating

- National Strategy for Trusted Identities (Released 6/25/10)

• Shared Responsibility Model- Details not delineated

- Regulatory compliance questionable

Geospatial Cloud Security

• Similar to internal ops- Break up tiers

- Protect in transit

- Protect at rest

- Credential management

- Built-in OS Firewalls

- AGS App Security

Geospatial Cloud Security

• Web and App Tiers combined

• Scaling out info in Help

• What about supporting infrastructure?

Default Deployment

Scaling Out

Geospatial Cloud Security

• Minimize your administrative attack surface

Geospatial Cloud Security

• Option 1

- Virtual Private Cloud (VPC)

- What: Connect Enterprise to Amazon Cloud via IPSec

- Scenario: EC2 instances controlled by your enterprise and establishing a VPN between locations is feasible

- Status: Utilizes auth steps as ArcGIS Server On-Premise

Geospatial Cloud Security

• Option 2

- Federated Services

- What: ArcGIS Access must traverse WIF

- Scenario: No VPN tunnel allowed and don’t want EC2 instance authentication directly against enterprise domain

- Status: Not validated with ArcGIS Server yet

Geospatial Cloud Security

• ArcGIS Server on Amazon EC2

- AMI not hardened beyond Windows 2008 Server defaults

- Looking into security hardened AMI

- Tell us your benchmark requirements

- Basic ESRI Online Help guidance

- Amazon Security Best Practices (Jan 2010)

• ArcGIS.com Sharing Content

- Online Help – Sharing Content / Participating in Groups

- Recent SAS70 review of ESRI hosting services

• Upcoming ESRI Geospatial Cloud Security Whitepaper

- Expect before end of 2010

Mobile Phone Security

Mobile Phone Security

• More - Platforms

- ArcPad

- ArcGIS Mobile

- iPhone

- Android

- Functionality/Storage

- User-base

• Leads to- Increased Hacker Attention

Mobile Phone Security

• AXF Data file- Password protect and encrypt

• Memory Cards- Encrypt

• ArcGIS Server users and groups- Limit publishers

• Internet connection- Secure ArcPad synch traffic

Mobile Phone Security

• GeoData Service- HTTPS (SSL) or VPN tunnel

• Utilization of Token Service

• Web Service- Credentials

- Filter by OS / IP / Unique Device Identifier

• Encrypt data at Rest- Windows Mobile Crypto API

- 3rd Party tools for entire storage system

Summary

Summary

1. Identify your Security Needs

- Assess your environment

- Utilize patterns

2. Understand Current Security Trends

3. Understand Security Options

- Enterprise GIS Resource Center

- Enterprise-wide Security Mechanisms

- Application Specific Options

4. Implement Security as a Business Enabler

- Improve appropriate availability of information

Summary

• ArcGIS Server Application Security UC Sessions- Securing Your ArcGIS Server for the MS .NET Framework

- Wed 10:15am-11:30

- Thurs 8:30am-9:45

- Java Session Cancelled

- Please see the Enterprise GIS Resource Center

- Dev Summit 2010 Java Security Video

• Professional Services Offering- Enterprise GIS Security Review

- http://www.esri.com/services/professional-services/implementation/enterprise.html

Summary

• ESRI Enterprise GIS Resource Center (Security)

- http://resources.arcgis.com/content/enterprisegis/10.0/security

• Understanding the Spreading Patterns of Mobile Phone Viruses

- http://www.sciencemag.org/cgi/data/1167053/DC1/1

• CSI Computer Crime and Security Survey 2009

- http://gocsi.com/survey

• Web Browser Security Test Results Summary: Q1 2010

- http://nsslabs.com/test-reports/NSSLabs_Q12010_BrowserSEM_Summ_FINAL.pdf

• Windows on Amazon EC2 Security Guide

- http://developer.amazonwebservices.com/connect/entry.jspa?externalID=1767

Summary

• NIST Information Security Publication Website

- http://csrc.nist.gov/publications/PubsSPs.html

• Providing SSO To Amazon EC2 From An On-Premises Windows Domain

- http://download.microsoft.com/download/6/C/2/6C2DBA25-C4D3-474B-8977-

E7D296FBFE71/EC2-Windows%20SSO%20v1%200--Chappell.pdf

• DOE Argonne National Labs Security Maxims

- http://www.ne.anl.gov/capabilities/vat/pdfs/security_maxims.pdf

• GAO Guidance Needed with Implementing Cloud Computing

- http://www.gao.gov/new.items/d10513.pdf

Summary

Contact Us At:

Enterprise Security esinfo@esri.com

Michael Young myoung@esri.com